        public void Build_ForAllHeaders_WhenNotUsingNonce_HasPerRequestValuesReturnsTrue()
        {
            // NOTE(review): the method name says "WhenNotUsingNonce", yet a script-src nonce is
            // added below and the assertion presumably only holds because of it. The name
            // looks inverted; consider renaming to "..._WhenUsingNonce_...".
            const string origin = "http://testUrl.com";
            var policy = new CspBuilder();

            // Every fetch/navigation directive gets the same static source list.
            policy.AddDefaultSrc().Self().Blob().Data().From(origin);
            policy.AddConnectSrc().Self().Blob().Data().From(origin);
            policy.AddFontSrc().Self().Blob().Data().From(origin);
            policy.AddObjectSrc().Self().Blob().Data().From(origin);
            policy.AddFormAction().Self().Blob().Data().From(origin);
            policy.AddWorkerSrc().Self().Blob().Data().From(origin);
            policy.AddImgSrc().Self().Blob().Data().From(origin);
            policy.AddStyleSrc().Self().Blob().Data().From(origin);
            policy.AddMediaSrc().Self().Blob().Data().From(origin);
            policy.AddFrameAncestors().Self().Blob().Data().From(origin);
            policy.AddBaseUri().Self().Blob().Data().From(origin);
            policy.AddUpgradeInsecureRequests();
            policy.AddBlockAllMixedContent();

            // The nonce is the only value here that must differ per request.
            policy.AddScriptSrc().WithNonce();

            var built = policy.Build();

            built.HasPerRequestValues.Should().BeTrue();
        }
        public void Build_WhenNoValues_ReturnsNull()
        {
            // An untouched builder must not produce any header value.
            var emptyPolicy = new CspBuilder();

            var headerValue = emptyPolicy.Build();

            headerValue.Should().BeNullOrEmpty();
        }
        public void Build_WhenNoValues_HasPerRequestValuesReturnsFalse()
        {
            // With no directives configured there is nothing that could vary per request.
            var emptyPolicy = new CspBuilder();

            var built = emptyPolicy.Build();

            built.HasPerRequestValues.Should().BeFalse();
        }
        public void SetBlockAllMixedContent_SetsBlockAllMixedContentToTrue()
        {
            var sut = new CspBuilder();
            sut.SetBlockAllMixedContent();

            // Only the flag this call is meant to flip is inspected.
            var options = sut.BuildCspOptions();

            Assert.True(options.BlockAllMixedContent);
        }
        public void SetUpgradeInsecureRequests_SetsUpgradeInsecureRequestsToTrue()
        {
            var sut = new CspBuilder();
            sut.SetUpgradeInsecureRequests();

            // Only the flag this call is meant to flip is inspected.
            var options = sut.BuildCspOptions();

            Assert.True(options.UpgradeInsecureRequests);
        }
        public void SetReportOnly_SetsReportOnlyToTrue()
        {
            var sut = new CspBuilder();
            sut.SetReportOnly();

            // Report-only mode is carried as a plain flag on the options.
            var options = sut.BuildCspOptions();

            Assert.True(options.ReportOnly);
        }
        public void EnableSandbox_EnablesTheSandbox()
        {
            var sut = new CspBuilder();
            sut.EnableSandbox();

            // The sandbox directive is represented by a boolean on the options.
            var options = sut.BuildCspOptions();

            Assert.True(options.EnableSandbox);
        }
        public void ReportViolationsTo_SetsTheReportUri()
        {
            const string reportEndpoint = "/somewhere";
            var sut = new CspBuilder();
            sut.ReportViolationsTo(reportEndpoint);

            // The endpoint should be stored verbatim on the options.
            var options = sut.BuildCspOptions();

            Assert.Equal(reportEndpoint, options.ReportUri);
        }
        public void Build_AddUpgradeInsecureRequests_AddsValue()
        {
            var policy = new CspBuilder();

            // The directive takes no value, so the header consists of the bare keyword.
            var headerValue = policy
                .AddUpgradeInsecureRequests()
                .Build();

            headerValue.Should().Be("upgrade-insecure-requests");
        }
        public void Build_AddBlockAllMixedContent_AddsValue()
        {
            var policy = new CspBuilder();

            // The directive takes no value, so the header consists of the bare keyword.
            var headerValue = policy
                .AddBlockAllMixedContent()
                .Build();

            headerValue.Should().Be("block-all-mixed-content");
        }
        public void IncludeXHeader_SetsIncludeXHeaderToTrue()
        {
            var sut = new CspBuilder();
            sut.IncludeXHeader();

            // Only the flag this call is meant to flip is inspected.
            var options = sut.BuildCspOptions();

            Assert.True(options.IncludeXHeader);
        }
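        /// <summary>
        /// Registers <see cref="CspMiddleware"/> in the pipeline with the options produced
        /// by <paramref name="builderAction"/>, so a Content Security Policy header can be
        /// added to responses.
        /// </summary>
        /// <param name="app">The <see cref="IApplicationBuilder"/>.</param>
        /// <param name="builderAction">Configures the policy through a <see cref="CspBuilder"/>.</param>
        /// <returns>The same <see cref="IApplicationBuilder"/>, for chaining.</returns>
        /// <exception cref="ArgumentNullException">
        /// <paramref name="app"/> or <paramref name="builderAction"/> is <c>null</c>.
        /// </exception>
        public static IApplicationBuilder UseCsp(this IApplicationBuilder app, Action<CspBuilder> builderAction)
        {
            // Fail at startup with a clear argument error instead of a NullReferenceException
            // raised from inside the configuration callback.
            if (app is null)
            {
                throw new ArgumentNullException(nameof(app));
            }

            if (builderAction is null)
            {
                throw new ArgumentNullException(nameof(builderAction));
            }

            var builder = new CspBuilder();
            builderAction(builder);

            // Options are fixed once at registration time and handed to the middleware via an
            // OptionsWrapper rather than through the DI options system.
            CspOptions options = builder.BuildCspOptions();

            return app.UseMiddleware<CspMiddleware>(new OptionsWrapper<CspOptions>(options));
        }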
        public void Build_ReportUri_AddsValue()
        {
            const string reportEndpoint = "http://testUrl.com";
            var policy = new CspBuilder();

            // report-uri is rendered as the directive name followed by the endpoint.
            var headerValue = policy
                .AddReportUri()
                .To(reportEndpoint)
                .Build();

            headerValue.Should().Be("report-uri http://testUrl.com");
        }
        public void WithPrefetch_ReturnsCorrectHeader()
        {
            var sut = new CspBuilder();
            sut.AllowPrefetch.From("https://www.google.com");

            // ToString(null) yields a tuple whose headerValue member is the rendered policy.
            var rendered = sut.BuildCspOptions().ToString(null);

            Assert.Equal("prefetch-src https://www.google.com", rendered.headerValue);
        }
        public void RequireSriFor_ReturnsCorrectHeader()
        {
            var sut = new CspBuilder();
            sut.RequireSri.ForScripts();

            // ToString(null) yields a tuple whose headerValue member is the rendered policy.
            var rendered = sut.BuildCspOptions().ToString(null);

            Assert.Equal("require-sri-for script", rendered.headerValue);
        }
        public void WithFramesAndWorkers_ReturnsCorrectHeader()
        {
            var sut = new CspBuilder();
            sut.AllowFrames.From("https://www.google.com");
            sut.AllowWorkers.FromSelf().OnlyOverHttps();

            // Two directives are joined with ';' and no separating space in this renderer.
            var rendered = sut.BuildCspOptions().ToString(null);

            Assert.Equal("frame-src https://www.google.com;worker-src 'self' https:", rendered.headerValue);
        }
        public void Build_CustomDirective_AddsValues()
        {
            var policy = new CspBuilder();

            // A custom directive may be emitted with or without a value.
            policy.AddCustomDirective("report-to");
            policy.AddCustomDirective("plugin-types", "application/x-shockwave-flash");

            var headerValue = policy.Build();

            headerValue.Should().Be("report-to; plugin-types application/x-shockwave-flash");
        }
        public void Build_AddingTheSameDirectiveTwice_OverwritesThePreviousCopy()
        {
            var policy = new CspBuilder();

            // The second AddDefaultSrc() call replaces the first rather than merging into it.
            policy.AddDefaultSrc().Self();
            policy.AddDefaultSrc().None();

            var headerValue = policy.Build();

            headerValue.Should().Be("default-src 'none'");
        }
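        /// <summary>
        /// Builds a <see cref="ContentSecurityPolicyHeader"/> from a policy configured through
        /// a <see cref="CspBuilder"/>.
        /// </summary>
        /// <param name="configure">Callback that populates the <see cref="CspBuilder"/>.</param>
        /// <param name="asReportOnly">If true, the header is added as report-only (violations are
        /// reported but not enforced).</param>
        /// <returns>The configured <see cref="ContentSecurityPolicyHeader"/>.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="configure"/> is <c>null</c>.</exception>
        public static ContentSecurityPolicyHeader Build(Action<CspBuilder> configure, bool asReportOnly)
        {
            // Reject a missing callback up front instead of failing on the invocation below.
            if (configure is null)
            {
                throw new ArgumentNullException(nameof(configure));
            }

            var builder = new CspBuilder();
            configure(builder);

            var cspResult = builder.Build();

            // A policy with per-request values (e.g. a script nonce) cannot be reduced to one
            // constant string, so the builder itself is handed over — presumably so the header
            // can be rendered per response; otherwise the precomputed value is used.
            return cspResult.HasPerRequestValues
                ? new ContentSecurityPolicyHeader(cspResult.Builder, asReportOnly)
                : new ContentSecurityPolicyHeader(cspResult.ConstantValue, asReportOnly);
        }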
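    /// <summary>
    /// Applies a baseline policy to <paramref name="csp"/>: block mixed content, default-src
    /// 'self', font-src 'self' plus data:, style-src 'self' plus 'unsafe-inline', and an
    /// optional report-uri.
    /// </summary>
    /// <param name="csp">The builder to extend.</param>
    /// <param name="reportUri">Violation report endpoint; ignored when null or whitespace.</param>
    /// <returns>The same <paramref name="csp"/>, for chaining.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="csp"/> is <c>null</c>.</exception>
    public static CspBuilder AddDefaultCsp(this CspBuilder csp, string reportUri)
    {
        if (csp is null)
        {
            throw new ArgumentNullException(nameof(csp));
        }

        // Reporting is optional; only wire it up when an endpoint was actually supplied.
        if (!string.IsNullOrWhiteSpace(reportUri))
        {
            csp.AddReportUri().To(reportUri);
        }

        csp.AddBlockAllMixedContent();
        csp.AddDefaultSrc().Self();
        csp.AddFontSrc().Self().Data();

        // 'unsafe-inline' on style-src permits any inline <style> block or style attribute,
        // which weakens the policy against style injection. Callers that need a stricter
        // policy should override style-src with nonce- or hash-based sources instead.
        csp.AddStyleSrc().Self().UnsafeInline();

        return csp;
    }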
        public void Build_AddFormAction_WhenAddsMultipleValue_ReturnsAllValues()
        {
            var policy = new CspBuilder();

            // Sources are rendered in the order they were added.
            var formAction = policy.AddFormAction();
            formAction.Self().Blob().Data().From("http://testUrl.com");

            var headerValue = policy.Build();

            headerValue.Should().Be("form-action 'self' blob: data: http://testUrl.com");
        }
        public void Build_AddObjectSrc_WhenAddsMultipleValue_ReturnsAllValues()
        {
            var policy = new CspBuilder();

            // Sources are rendered in the order they were added.
            var objectSrc = policy.AddObjectSrc();
            objectSrc.Self().Blob().Data().From("http://testUrl.com");

            var headerValue = policy.Build();

            headerValue.Should().Be("object-src 'self' blob: data: http://testUrl.com");
        }
        public void Build_AddBaseUri_WhenAddsMultipleValue_ReturnsAllValues()
        {
            var policy = new CspBuilder();

            // Sources are rendered in the order they were added.
            var baseUri = policy.AddBaseUri();
            baseUri.Self().Blob().Data().From("http://testUrl.com");

            var headerValue = policy.Build();

            headerValue.Should().Be("base-uri 'self' blob: data: http://testUrl.com");
        }
        public void Build_AddFrameAncestors_WhenAddsMultipleValue_ReturnsAllValues()
        {
            var policy = new CspBuilder();

            // Sources are rendered in the order they were added.
            var frameAncestors = policy.AddFrameAncestors();
            frameAncestors.Self().Blob().Data().From("http://testUrl.com");

            var headerValue = policy.Build();

            headerValue.Should().Be("frame-ancestors 'self' blob: data: http://testUrl.com");
        }
        public void Build_AddDefaultSrc_WhenAddsMultipleValueEnumerable_ReturnsAllValues()
        {
            var origins = new[] { "http://testUrl.com", "http://testUrl2.com" };
            var policy = new CspBuilder();

            // The array overload of From() appends every origin, in order, after the keywords.
            policy.AddDefaultSrc().Self().Blob().Data().From(origins);

            var built = policy.Build();

            built.ConstantValue.Should().Be("default-src 'self' blob: data: http://testUrl.com http://testUrl2.com");
        }
        public async Task OnSendingHeader_ShouldNotSendTest()
        {
            var sut = new CspBuilder();

            // The callback configured on the builder flows through to the built options.
            sut.OnSendingHeader = ctx =>
            {
                ctx.ShouldNotSend = true;
                return Task.CompletedTask;
            };

            var options = sut.BuildCspOptions();
            var sendingContext = new CspSendingHeaderContext(null);

            await options.OnSendingHeader(sendingContext);

            Assert.True(sendingContext.ShouldNotSend);
        }
        public void Build_AddDefaultSrc_WhenIncludesNone_OnlyWritesNone()
        {
            var policy = new CspBuilder();

            // 'none' is expected to suppress every other source on the directive,
            // regardless of the order in which they were added.
            var defaultSrc = policy.AddDefaultSrc();
            defaultSrc.Self().Blob().Data().From("http://testUrl.com");
            defaultSrc.None();

            var headerValue = policy.Build();

            headerValue.Should().Be("default-src 'none'");
        }
        public void Build_AddStyleSrc_WhenAddsMultipleValue_ReturnsAllValues()
        {
            var policy = new CspBuilder();

            // Sources are rendered in the order they were added, keywords quoted.
            var styleSrc = policy.AddStyleSrc();
            styleSrc.Self().ReportSample().Blob().Data().From("http://testUrl.com");

            var built = policy.Build();

            built.ConstantValue.Should().Be("style-src 'self' 'report-sample' blob: data: http://testUrl.com");
        }
        public void Build_AddSrciptSrc_WhenAddsInsecureValues_ReturnsAllValues()
        {
            var policy = new CspBuilder();

            // Verifies rendering only; 'unsafe-eval' and 'unsafe-inline' are policy-weakening
            // keywords and are used here purely to check that each one is written out.
            var scriptSrc = policy.AddScriptSrc();
            scriptSrc.Self().UnsafeEval().UnsafeInline().StrictDynamic().ReportSample();
            scriptSrc.From("http://testUrl.com");

            var headerValue = policy.Build();

            headerValue.Should().Be("script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' 'report-sample' http://testUrl.com");
        }
        public void Build_AddSrciptSrc_WhenAddsNonce_HasPerRequestValuesReturnsTrue()
        {
            var policy = new CspBuilder();

            // WithNonce() is the one call that should make the policy vary per request.
            var scriptSrc = policy.AddScriptSrc();
            scriptSrc.Self().UnsafeEval().UnsafeInline().StrictDynamic().ReportSample();
            scriptSrc.WithNonce().From("http://testUrl.com");

            var built = policy.Build();

            built.HasPerRequestValues.Should().BeTrue();
        }